
Understanding Port Security

Classification of Secure MAC Addresses

Secure MAC addresses are classified as dynamic secure MAC addresses, static secure MAC addresses, or sticky MAC addresses.

Table 1 Classification of secure MAC addresses

Type: Dynamic secure MAC address
Description: MAC addresses that are learned on an interface where port security is enabled but the sticky MAC address function is disabled.
Characteristics: Dynamic secure MAC addresses are lost after the device restarts and must be learned again. By default they are not aged out; they are aged only if an aging time is set for them, using either absolute aging or relative aging.
  • Absolute aging time: If the value is set to 5 minutes, the system calculates the lifetime of each dynamic secure MAC address every minute. If the lifetime is longer than or equal to 5 minutes, the address is aged out immediately, whether or not the host is still sending traffic. If the lifetime is shorter than 5 minutes, the system checks the address again 1 minute later.
  • Relative aging time: If the value is set to 5 minutes, the system checks every minute whether traffic has been received from each dynamic secure MAC address. An address from which no traffic has been received for 5 minutes is aged out; an address that keeps sending traffic is retained.

Type: Static secure MAC address
Description: MAC addresses that are manually configured on an interface where port security is enabled.
Characteristics: Static secure MAC addresses are not aged out. Because they are part of the configuration, they are not lost after the device restarts as long as the configuration has been saved.

Type: Sticky MAC address
Description: MAC addresses that are learned on an interface where both the port security and sticky MAC address functions are enabled.
Characteristics: Sticky MAC addresses are not aged out. Learned sticky MAC addresses are written into the interface configuration, so they are not lost after the device restarts as long as the configuration has been saved.
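The following is an added example, not code from the Huawei documentation, that models the absolute and relative aging checks described in Table 1 in Python. The host names, the 5-minute aging time and the traffic pattern are constructed inputs, and the per-minute tick() stands in for the switch's periodic check.

```python
# Added example (not from the Huawei documentation): a minimal model of the two
# aging policies for dynamic secure MAC addresses. Time is in whole minutes and
# tick() is the once-per-minute check the text describes. Host MACs, the aging
# time and the traffic pattern are constructed inputs.
from dataclasses import dataclass


@dataclass
class SecureEntry:
    mac: str
    learned_at: int   # minute the entry was learned (used by absolute aging)
    last_seen: int    # minute of the last frame from this MAC (used by relative aging)


class DynamicSecureTable:
    """Dynamic secure MAC entries of one port-security interface.

    mode is None (never aged, the default), "absolute" (lifetime-based) or
    "relative" (inactivity-based); aging is the configured time in minutes.
    """

    def __init__(self, aging=None, mode=None):
        if mode not in (None, "absolute", "relative"):
            raise ValueError(mode)
        self.aging = aging
        self.mode = mode
        self.entries = {}

    def frame_from(self, mac, now):
        """Learn a new secure MAC, or refresh the activity timer of a known one."""
        entry = self.entries.get(mac)
        if entry is None:
            self.entries[mac] = SecureEntry(mac, now, now)
        else:
            entry.last_seen = now

    def tick(self, now):
        """Per-minute aging check; returns the MACs removed at this minute."""
        if self.mode is None or self.aging is None:
            return []
        aged = []
        for mac, entry in list(self.entries.items()):
            if self.mode == "absolute":
                expired = now - entry.learned_at >= self.aging   # lifetime only
            else:
                expired = now - entry.last_seen >= self.aging    # idle time only
            if expired:
                aged.append(mac)
                del self.entries[mac]
        return sorted(aged)


def simulate(mode, aging=5, minutes=12):
    """Two hosts learned at minute 0: host-a sends every minute, host-b goes silent.

    Returns {minute: [aged MACs]} for the minutes at which something aged out.
    """
    table = DynamicSecureTable(aging=aging, mode=mode)
    table.frame_from("host-a", 0)
    table.frame_from("host-b", 0)
    events = {}
    for now in range(1, minutes + 1):
        table.frame_from("host-a", now)   # host-a keeps talking; re-learned if aged
        aged = table.tick(now)
        if aged:
            events[now] = aged
    return events


if __name__ == "__main__":
    print("default (no aging):", simulate(None))
    print("absolute aging:", simulate("absolute"))
    print("relative aging:", simulate("relative"))
```

Running it shows the practical difference between the two modes. With absolute aging, host-a is removed at minute 5 even though it sends every minute, is re-learned the next minute, and is removed again at minute 11; with relative aging only the silent host-b is removed, at minute 5. Absolute aging therefore opens a short window after each expiry in which the slot is free and any source MAC can claim it, so relative aging is usually the safer choice when the goal is to pin active hosts to a port. With the default (no aging time configured) nothing is ever removed.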

Impact of Port Security and Sticky MAC Address Functions on MAC Address Entries

When port security or the sticky MAC address function is enabled or disabled, the existing MAC address entries on the interface are converted or deleted as follows.

Function: Port security
Enabled: After port security is enabled, existing dynamic MAC address entries on the interface are deleted. MAC address entries learned subsequently are dynamic secure MAC address entries.
Disabled: After port security is disabled, existing dynamic secure MAC address entries on the interface are deleted. MAC address entries learned subsequently are ordinary dynamic MAC address entries.

Function: Sticky MAC address function
Enabled: After the sticky MAC address function is enabled, existing dynamic secure MAC address entries on the interface are converted into sticky MAC address entries. MAC address entries learned subsequently are sticky MAC address entries.
Disabled: After the sticky MAC address function is disabled, existing sticky MAC address entries on the interface are converted into dynamic secure MAC address entries.

Actions to Take After the Number of Secure MAC Addresses Exceeds the Limit

After the number of secure MAC addresses on an interface reaches the configured limit, the switch treats any packet whose source MAC address is not in the secure MAC address table as coming from an unauthorized user, regardless of whether the destination MAC address of the packet is valid, and takes the action configured on the interface. By default the action is restrict: the packet is discarded and a trap is generated.

Table 2 Port security actions

Action: restrict
Description: Discards packets whose source MAC address is not a secure MAC address and generates a trap. This action is recommended.

Action: protect
Description: Discards packets whose source MAC address is not a secure MAC address but does not generate a trap.

Action: shutdown
Description: Sets the interface state to error-down and generates a trap.

By default, an interface in error-down state can only be restored using the restart command in the interface view.

To enable an interface in error-down state to automatically go Up after a period of time, run the error-down auto-recovery cause port-security interval interval-value command in the system view. In this command, interval-value specifies the period of time after which an interface can automatically go Up.

To view trap information, run the display trapbuffer command or log in to the NMS.

Actions to Take When Static MAC Address Flapping Occurs

Secure MAC addresses are also static MAC addresses. On a switch with static MAC address flapping detection configured, when an interface receives a packet whose source MAC address already exists as a static MAC address entry on another interface, the switch considers that static MAC address flapping has occurred and takes the port security action configured on the receiving interface.

Table 3 Port security actions on static MAC address flapping

Action: restrict
Description: Discards the packet that triggered the static MAC address flapping and generates a trap. This action is recommended.

Action: protect
Description: Discards the packet that triggered the static MAC address flapping but does not generate a trap.

Action: shutdown
Description: Sets the interface state to error-down and generates a trap.

By default, an interface in error-down state can only be restored using the restart command in the interface view.

To enable an interface in error-down state to automatically go Up after a period of time, run the error-down auto-recovery cause port-security interval interval-value command in the system view. In this command, interval-value specifies the period of time after which an interface can automatically go Up.

To view trap information, run the display trapbuffer command or log in to the NMS.
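The following is an added example, not code from the Huawei documentation, that models in Python the enforcement described in the two preceding sections: the over-limit check (Table 2), static MAC address flapping between interfaces (Table 3), the restrict/protect/shutdown actions, and recovery from error-down either by the restart command or by an auto-recovery interval. Interface names, MAC addresses, the secure MAC limit and the recovery interval are constructed inputs; the choice to keep an error-down interface's secure MAC entries is an assumption of the model.

```python
# Added example (not from the Huawei documentation): a model of port security
# enforcement on a small switch. Interface names, MACs, the limit and the
# recovery interval are constructed; keeping secure entries on an error-down
# interface is an assumption of this model, not a statement about the switch.
ACTIONS = ("restrict", "protect", "shutdown")


class Interface:
    def __init__(self, name, max_secure):
        self.name = name
        self.max_secure = max_secure
        self.secure_macs = set()
        self.error_down_since = None   # None while the interface is Up

    @property
    def is_up(self):
        return self.error_down_since is None


class PortSecuritySwitch:
    def __init__(self, action="restrict", recovery_interval=None):
        if action not in ACTIONS:
            raise ValueError(action)
        self.action = action                        # restrict is the documented default
        self.recovery_interval = recovery_interval  # seconds; None = restart only
        self.interfaces = {}
        self.traps = []                             # (time, interface, reason)

    def add_interface(self, name, max_secure):
        self.interfaces[name] = Interface(name, max_secure)

    def _owner_of(self, mac):
        for intf in self.interfaces.values():
            if mac in intf.secure_macs:
                return intf
        return None

    def _violation(self, intf, now, reason):
        """Apply the configured action; returns the verdict for the packet."""
        if self.action == "protect":
            return "drop"                           # silent discard, no trap
        self.traps.append((now, intf.name, reason))
        if self.action == "shutdown":
            intf.error_down_since = now             # interface goes error-down
            return "error-down"
        return "drop"                               # restrict: discard + trap

    def _auto_recover(self, intf, now):
        """Equivalent of: error-down auto-recovery cause port-security interval <n>."""
        if (not intf.is_up and self.recovery_interval is not None
                and now - intf.error_down_since >= self.recovery_interval):
            intf.error_down_since = None

    def restart(self, ifname):
        """The restart command in the interface view: manual recovery."""
        self.interfaces[ifname].error_down_since = None

    def receive(self, ifname, src_mac, now):
        """Handle one frame; returns "forward", "drop" or "error-down"."""
        intf = self.interfaces[ifname]
        self._auto_recover(intf, now)
        if not intf.is_up:
            return "drop"
        owner = self._owner_of(src_mac)
        if owner is intf:
            return "forward"                        # known secure MAC on this port
        if owner is not None:                       # secure on another port: flapping
            return self._violation(intf, now, f"flapping of {src_mac} from {owner.name}")
        if len(intf.secure_macs) >= intf.max_secure:
            return self._violation(intf, now, f"limit reached, unknown {src_mac}")
        intf.secure_macs.add(src_mac)               # learn it as a secure MAC
        return "forward"


def demo(action, recovery_interval=None):
    """Constructed scenario: one secure MAC per port, then a rogue host and a flap."""
    sw = PortSecuritySwitch(action=action, recovery_interval=recovery_interval)
    sw.add_interface("GE0/0/1", max_secure=1)
    sw.add_interface("GE0/0/2", max_secure=1)
    verdicts = [
        sw.receive("GE0/0/1", "00aa-0000-0001", now=0),   # learned as secure
        sw.receive("GE0/0/1", "00aa-0000-0002", now=1),   # second MAC: over the limit
        sw.receive("GE0/0/2", "00aa-0000-0001", now=2),   # flapping from GE0/0/1
        sw.receive("GE0/0/1", "00aa-0000-0001", now=3),   # legitimate host again
    ]
    if recovery_interval is not None:
        verdicts.append(sw.receive("GE0/0/1", "00aa-0000-0001", now=3 + recovery_interval))
    return verdicts, len(sw.traps)


if __name__ == "__main__":
    for act in ACTIONS:
        print(act, demo(act))
    print("shutdown with 30 s auto-recovery", demo("shutdown", recovery_interval=30))
```

The scenario makes the operational trade-off visible: restrict and protect both keep the legitimate host working while the rogue and flapped frames are dropped, but only restrict leaves a trap in the buffer; shutdown also takes the legitimate host down with the violation, and without an auto-recovery interval the port stays error-down until someone runs restart. The model raises one trap per offending frame; a real switch may rate-limit repeated traps, so do not rely on trap counts as a packet count.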

Copyright © Huawei Technologies Co., Ltd.